License-card-controlled chip card system

ABSTRACT

A chip card system, whose chip cards (AK, LK) have in each case at least one internal processor (P) and a non-volatile memory (S) at least for an operating system of the processor (P). There are a multiplicity of user chip cards (AKn) whose processors (P) can in each case execute user command instructions only after an activation, and there is at least one license chip card (LK), in whose non-volatile memory (S) a limitable number of activatable user chip cards (AKn) can be managed. By means of at least one read-write station (AKg) for chip cards (LK), the activation of the internal processor (P) is effected in a user chip card (AKi) if in the memory (S) of the license chip card (LK) the number of activatable user chip cards (AKn) is not yet exhausted. Thereafter, the number of activatable user chip cards (AKn) is decremented in the memory (S) of the license chip card (LK).

FIELD OF THE INVENTION

The present invention relates to a chip card system, in particular, a system which is controlled by a license card.

BACKGROUND INFORMATION

Chip cards are increasingly being used in a wide variety of areas of daily life. Therefore a very great number of such cards are in circulation. Usually, many measures are taken to avoid pecuniary losses, in particular for the respective card owner, once the chip card has been issued, i.e. during normal use. For example, after the loss of a card, at least, unauthorized use of the card by any third party must be prevented.

Owing to the increasing numbers in distribution, however, measures must also be taken on the one hand to protect, in particular, sizeable batches of cards already before they are individually issued to final customers, and on the other hand to monitor or limit the quantity of cards legally issued to final customers or the quantity of cards which can be issued as a maximum, for example for a period of time, or an amount of remuneration currently paid to a licensor or service provider.

For example, cards are sent in sometimes very large quantities by a card manufacturer to a distributor of cards, for example to a financial institution. This transfer is comparable to the transportation of large amounts of money between banks and is consequently subject to corresponding risks. Furthermore, it is often desirable on the part of the distributor of cards to monitor, document and limit exactly the number of cards which can be issued, for example per employee, to final customers in order to rule out as far as possible the risk of misuse. Since handing over a card to a final customer generally makes it possible for the latter to make use of services, considerable pecuniary losses can be caused by chip cards which are brought into circulation impermissibly, sometimes in quite a large quantity.

The document DE 30 41 393 C2 describes a method of producing a predetermined number of authorization cards having a storage medium. By means of a master card and a first activation station, a limited number of authorization cards is activated. The activation of authorization cards is performed only if the number of activatable authorization cards which is stored in the memory of the master card has not yet been exhausted. After each activating operation, the number of activatable authorization cards is decremented in the memory of the master card. In addition, in the authorization cards there may be a supplemental scope of authorization whereby a predetermined number of additional cards can be activated by a second activation station.

SUMMARY OF THE INVENTION

An object of the present invention is to provide a card system with the highest possible data and falsification security for producing a predetermined number of chip cards.

The aforementioned object is achieved by a chip card system with chip cards which each have at least one internal processor and a non-volatile memory for holding at least an operating system of the processor. The system includes at least one read-write station for chip cards, a multiplicity of user chip cards, whose processors can each execute user command instructions only after an activation, and at least one license chip card, in whose non-volatile memory a limitable number of activatable user chip cards can be managed. In the system of the present invention, for initiation of an activation, a random number is generated by the processor of a user chip card and is transmitted by means of the read-write station to the license chip card. In the event that the number of activatable user chip cards in the memory of the license chip card is not yet exhausted, an enabling identification dependent on the respective random number is generated by the processor of the license chip card and is transmitted by means of the read-write station to the user chip card. The enabling identification is checked by the processor of the user chip card for correspondence with the random number. If there is a positive outcome of the check, an activation of the entire set of permissible user command instructions is effected, and the number of activatable user chip cards in the memory of the license chip card is decremented.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a chip card system in accordance with the present invention.

FIG. 2 shows the loading into non-volatile memory of a user chip card of an activation data set required by the operating system of the chip card to execute user command instructions, in accordance with the present invention.

DETAILED DESCRIPTION

The chip card system according to the present invention has in principle two types of chip cards. First, there is generally a very large number of "user chip cards" AKn. In the example of FIG. 1, some of these are shown as fanned-out cards at the top right, with further explanation of the user chip card AKi represented in the foreground. It is essential for the present invention that there is a further chip card type, which has the function of an activating card and is to be referred to in the following as a "license card". There are, of course, only very few cards of this chip card type in the possession of selected, specially authorized persons. It is even possible that there is only one such card in circulation. In the example of FIG. 1, such a license chip card LK is represented at the top left.

Advantageously, all the cards of the chip card system are identical in terms of hardware, and differ in the type of the particular user program used. This simplifies the manufacture of the chip cards of the system considerably. Accordingly, in the example of FIG. 1, both the user chip cards AKi and the, by way of example, one license chip card LK have the same hardware elements. These are essentially in each case an internal processor P, a non-volatile memory S, at least for receiving an operating system of the processor P, an interface DS for data exchange with a read-write station AKG, which may for example be configured in the form of a contact area for wired data exchange or in the form of an aerial for wire-free data exchange, and a chip card-internal data bus DB.

According to the present invention, the user chip cards AKn are organized in such a way that their processor P can in each case only execute user command instructions after an activation, while in the non-volatile memory S of the at least one license card LK, a limitable number of activatable user chip cards AKn can be handled. Finally, the chip card system according to the invention has at least one read-write station AKG for chip cards LK or AKn, by means of which station the activation of the internal processor P is brought about in a user chip card AKi if in the memory S of the license card LK the maximum number of activatable user chip cards AKn is not yet exhausted. After a successful activation, in the memory S of the license chip card LK a decrementing of the number of activatable user chip cards AKn is in turn brought about with the aid of the read-write station AKG.

For the data exchange between a license chip card LK and a user chip card AK currently to be processed, in the case of wireless data transmission, for example, both chip cards must be brought into the transmitting range of the read-write station AKG. In the case of wired data exchange, it may be necessary to introduce the chip cards into the read-write station AKG and withdraw them, sometimes alternately several times in succession. In the case of the configuration represented in FIG. 1, the read-write station AKG has, for example, two card-reading units. The first card-reading unit KL1 serves for receiving the license chip card LK, while the second card-reading unit KL2 serves for receiving a user chip card AKi. In such a case, it is advantageous that chip cards do not have to be changed in order to activate a user chip card.

In the case of a preferred embodiment of the invention, for initiating an activation, a random number Z is first generated by the processor P of a user chip card AKi and is transmitted by means of the read-write station AKG to the license chip card LK. Such a case is represented in the example of FIG. 1 with the aid of curved arrows, which indicate the respective direction of the data transfer between the data interface DS of the respective chip card and the read-write station AKG. For instance, a random number Z is read from the user chip card AKi by means of the card-reading unit KL2, and is loaded by means of the card-reading unit KL1 into the memory S of the license chip card LK.

Then, in the event that the number of activatable chip cards AKn, which is contained in the non-volatile memory S, is not yet exhausted, an enabling identification FDi (Z), dependent on the respective random number, is generated by the processor P of the license chip card LK, is loaded by means of the card-reading unit KL1 into the read-write station AKG and is finally written back by means of the card-reading unit KL2 into the user chip card AKi. The enabling identification FDi is checked by the processor P of the user chip card AKi for correspondence with the random number, and, if there is a positive outcome of the check, an activation of the entire set of permissible user command instructions is effected. In the event that the number of activatable user chip cards has been used up, the license chip card either transmits no enabling identification or transmits an invalid enabling identification, i.e. one combined with the random number in an impermissible way, for example, to the requesting user chip card.

Therefore, in the case of this configuration of the invention, the user chip cards AKn activate themselves after successful reception of a permissible enabling identification.

Therefore, the system of the present invention has the dual advantage that on the one hand user chip cards are entirely unusable before an activation, and on the other hand the activation of user chip cards can be monitored within a narrowly limitable framework with the aid of the system of the license chip card.
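The challenge-response activation of the first configuration (random number Z from AKi, enabling identification FDi(Z) from LK, check on AKi, decrement on LK), written out as an added Python model. This is example code added here, not code from the patent. The patent only requires FDi(Z) to depend on Z; the example assumes FDi(Z) is an HMAC-SHA256 over Z under a key shared by the license card and the user cards, and the key value, the command names and the quota values are constructed for the demonstration.

```python
# Added example (not the patent's code): model of the FIG. 1 activation
# protocol. Assumption: FDi(Z) = HMAC-SHA256(K, Z) with K shared between
# the license card and the user cards; the patent only says FD depends on Z.
import hashlib
import hmac
import secrets
from typing import Optional

SHARED_KEY = b"constructed-demo-key"  # constructed value, not from the patent


class LicenseCard:
    """License chip card LK: holds the activation quota in memory S."""

    def __init__(self, activatable: int, key: bytes = SHARED_KEY) -> None:
        self.activatable = activatable  # number of activatable user cards
        self._key = key

    def enabling_identification(self, z: bytes) -> Optional[bytes]:
        """Return FDi(Z) if the quota is not exhausted, otherwise nothing."""
        if self.activatable <= 0:
            return None
        return hmac.new(self._key, z, hashlib.sha256).digest()

    def decrement(self) -> None:
        """Called via the station after a successful activation."""
        if self.activatable > 0:
            self.activatable -= 1


class UserCard:
    """User chip card AKi: executes user commands only after activation."""

    USER_COMMANDS = ("READ_BALANCE", "DEBIT", "CREDIT")  # constructed names

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self._key = key
        self._z: Optional[bytes] = None  # outstanding challenge, if any
        self.activated = False

    def challenge(self) -> bytes:
        """Generate a fresh random number Z for one activation attempt."""
        self._z = secrets.token_bytes(16)
        return self._z

    def check_enabling_identification(self, fd: Optional[bytes]) -> bool:
        """Check FD for correspondence with the outstanding Z."""
        if fd is None or self._z is None:
            return False
        expected = hmac.new(self._key, self._z, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, fd)
        self._z = None  # Z is single-use: an FD for an old Z cannot be replayed
        if ok:
            self.activated = True
        return ok

    def execute(self, command: str) -> str:
        if not self.activated:
            raise PermissionError("card not activated")
        if command not in self.USER_COMMANDS:
            raise ValueError(f"unknown user command {command!r}")
        return f"{command} executed"


def activate(lk: LicenseCard, card: UserCard) -> bool:
    """Read-write station AKG: read Z via KL2, obtain FD via KL1, write it back."""
    z = card.challenge()
    fd = lk.enabling_identification(z)
    ok = card.check_enabling_identification(fd)
    if ok:
        lk.decrement()  # order given in the text: decrement after a positive check
    return ok


if __name__ == "__main__":
    lk = LicenseCard(activatable=1)
    first, second = UserCard(), UserCard()
    print(activate(lk, first), activate(lk, second), lk.activatable)
```

Two properties of the text are visible in the model: a user card that never received a valid FDi for its own Z stays unusable, and a fresh Z per attempt means an FDi recorded during one activation does not activate a second card. The decrement is performed by the station after the positive check, as the text orders it; an implementation that wants the quota enforced by LK alone would instead decrement inside `enabling_identification` when FDi is handed out, so that a station which omits the decrement step cannot stretch the quota.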

In the case of another configuration of the chip card system according to the invention, the activation of a user chip card AKi is carried out by transmission of an enabling data set, required by the operating system for the execution of user command instructions, into the non-volatile memory of the user chip card AKi via the read-write station AKG. In this case, the user chip cards are not capable of activating themselves. Rather, the enabling data set is essential for achieving full operability.

Once again, in this case, for initiating an activation, a request for transfer of an enabling data set FDi is advantageously transmitted by the processor P of a user chip card AKi first by means of the read-write station AKG to the license chip card LK. Then, in the event that the number of activatable user chip cards AKn in the non-volatile memory S is not yet exhausted, an enabling data set FDi is called or generated by the processor P of the license chip card LK and is in turn transmitted by means of the read-write station AKG to the user chip card AKi. Finally, to permit operation of the entire set of permissible user command instructions of the operating system, the said enabling data set is properly linked by the processor P of the user chip card AKi into the non-volatile memory S containing at least the operating system of the user chip card AKi.

In the case of this configuration of the invention, security with respect to impermissible manipulations is further improved since the user chip cards are not capable of operating in any data handling way and consequently cannot be activated in an unauthorized way without an enabling data set, if appropriate additionally individualized for the respective user chip card.

This configuration of the chip card system according to the invention is explained in more detail below with reference to the example of FIG. 2. In this case, a command table KTB, specific to the operating system, in the non-volatile program memory S of the processor, preferably serves as the enabling data set, whereby the assignment adr 1 . . . adr k . . . adr n of user command instructions AWBx to the parts of the operating system BSC of the user chip card AKi respectively executing the said instructions is established.

In addition to this, it may be advantageous if the internal processor P and a non-volatile program memory S, serving for receiving an operating system for the operation of the processor P, and beyond this in turn, if appropriate, further functional elements of the user chip card, such as for example energy supply, data interface for the exchange of data between the chip card and external read and write stations and the like, are matched to each other in such a way that, after its manufacture, the user chip card can execute a command instruction only when it is brought into data-handling connection with a read-write station for the first time. This command instruction effects the reloading of a command table specific to the operating system into the non-volatile memory of the processor. Only after successful completion of this loading operation is it possible to assign further user command instructions, supplied to the user chip card, in particular via external read-write stations, to the respective operating system parts provided for their execution. The execution of the command instructions necessary for proper operability of the chip card, with respect to all maximum possible operations during normal use, is consequently not possible until the command table has been linked in.

This configuration offers the advantage that, under certain circumstances, even very large quantities of newly manufactured chip cards are virtually completely unusable. They are instead usually rendered usable separately for each individual chip card only immediately before they are passed on to the authorized end user. Newly manufactured chip cards, in whose non-volatile memory or other memory areas the coding of the successive operating system command instructions is indeed loaded, are not operable because, due to the missing command table, incoming user command instructions cannot be identified and the operating system part or parts required for their execution cannot be activated owing to the absence of the associated branch addresses. In practice, it is virtually impossible with reasonable expenditure, in terms of time and means, to reconstruct the functional structure of the operating system by way of a kind of reverse engineering in such a way that the parts necessary for the execution of individual user command instructions and their possible interactions, in the form of entry addresses, become accessible.

The design of a user chip card, according to this configuration of the invention, offers the advantage that, before its authorization by reloading the command table, usually directly before passing-on into the possession of the new user, the chip card is protected against virtually any type of unauthorized use, without complex measures having to be provided in the hardware or software area of the chip card, which would make manufacture of the chip card more expensive and possibly restrict its serviceability. On the one hand, it is possible to simply upgrade the chip card so that it will be able to exclusively execute the loading command for the command table. On the other hand, the reloading of the command table does not present any problems in terms of data handling for an institution legitimately in possession of the code of the command table, such as for example a bank. In this operation, if need be, any desired further data individualizing the respective chip card, for example with respect to the new user, can also be simultaneously transferred.

Apart from preventing unauthorized use of user chip cards before they are passed on for normal use, the system of the present invention also prevents the program code itself, in particular the code of the operating system, applied to the chip card during manufacture, from being viewed in an unauthorized way or being changed in an unauthorized or unprofessional way in this intermediate phase.

For explanation, on the right-hand side of FIG. 2 there is represented, by way of example in graphic tabular form, a section from the sequence of the successive instructions of an operating system code BSC. In this case, one should visualize the table as continuing both upwards and downwards. The section shows, by way of example, a preceding entry address adr k-1 and a following entry address adr k. The line of the operating system command code assigned to one of these entry addresses and the lines of the operating system command code then following up to the next entry address form a group which effects the execution of a specific user command.

In the example of FIG. 2, the user chip card is supplied with a current user command AWB x, preferably from an external read-write station. This command is to be executed by the operating system. For this a command table KTB is required, which represents as it were a key permitting access to the functional subunits of the operating system BSC. By way of example, each line of the command table KTB comprises a first code part bic k, which serves for the interpretation, i.e. identification of the type, of the current user command AWB x, and a second code part adr k, which contains the start address of the associated operating system command sequence. The command table KTB consequently comprises a first sub-table BIT, which contains the codes serving for command interpretation, bic 1, bic 2, bic 3 . . . bic k . . . bic n-1, bic n, and a second sub-table BSC, which contains the associated entry addresses adr 1, adr 2, adr 3 . . . adr k . . . adr n-1, adr n of the corresponding operating system sequences.

In the case of the example represented in FIG. 2, a user command denoted by AWB x is supplied to the chip card. This command is identified by the coding bic k as a permissible command, which is represented in the figure by a line in dash form (broken line) on the left-hand side of the command table KTB. The associated entry address adr k is then activated and, as a result, the code of the operating system BSC is executed from the beginning at the entry address adr k. In the figure, the call-up of the operating system sequence belonging to the user command AWB x is represented by an arrow SBS running from the corresponding cell of the command table KTB to the entry address adr k. It is evident from the example of the figure that no user command AWB x can be executed without the bridge function of a command table KTB since no assignment of the user command to the associated part of the operating system is possible. This configuration of the chip card according to the invention consequently represents extraordinarily effective protection against unauthorized use of newly manufactured chip cards.
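The second configuration, in which the enabling data set FDi is the command table KTB of FIG. 2, as an added Python model covering the request to LK, the quota check, the linking-in of KTB and the subsequent dispatch of a user command AWB x via bic k to entry address adr k. This is example code added here, not code from the patent. The interpretation codes bic, the entry addresses adr, the operating system routines behind them and the code of the table-loading command are all constructed values for the demonstration; a real card would hold machine code at those addresses.

```python
# Added example (not the patent's code): model of the FIG. 2 configuration
# in which the enabling data set is the command table KTB. Interpretation
# codes, entry addresses and command semantics are constructed values.
from typing import Callable, Dict, Optional


class UserCard:
    """User chip card AKi whose OS cannot dispatch any user command until KTB is linked in."""

    LOAD_TABLE = 0xFF  # constructed code of the only command usable before activation

    def __init__(self) -> None:
        self.balance = 0
        # Command table KTB (bic k -> adr k); absent after manufacture.
        self._ktb: Optional[Dict[int, int]] = None
        # Operating system code BSC: entry address adr k -> routine group.
        self._bsc: Dict[int, Callable[[Optional[int]], int]] = {
            0x0100: self._read_balance,
            0x0140: self._debit,
            0x01A0: self._credit,
        }

    # Operating system sequences reached through their entry addresses.
    def _read_balance(self, arg: Optional[int]) -> int:
        return self.balance

    def _debit(self, arg: Optional[int]) -> int:
        if arg is None or arg > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= arg
        return self.balance

    def _credit(self, arg: Optional[int]) -> int:
        self.balance += arg or 0
        return self.balance

    def command(self, bic: int, arg=None):
        """Interpret a user command AWB x given as (bic, arg)."""
        if bic == self.LOAD_TABLE:
            if self._ktb is not None:
                raise PermissionError("command table already linked in")
            if not isinstance(arg, dict) or not arg:
                raise ValueError("no enabling data set supplied")
            self._ktb = dict(arg)  # link KTB into non-volatile memory S
            return "activated"
        if self._ktb is None:
            # No bridge from AWB x to an entry address: nothing can be executed.
            raise PermissionError("card not activated: no command table")
        adr = self._ktb.get(bic)  # sub-table BIT: identify the command type
        if adr is None:
            raise ValueError(f"unknown user command bic={bic:#04x}")
        return self._bsc[adr](arg)  # arrow SBS: execute BSC from adr k


# Command table KTB as the license card hands it over: interpretation codes
# bic k paired with entry addresses adr k (constructed values).
KTB = {0xB0: 0x0100, 0xB1: 0x0140, 0xB2: 0x01A0}


class LicenseCard:
    """License chip card LK handing out KTB as the enabling data set while its quota lasts."""

    def __init__(self, activatable: int, ktb: Dict[int, int] = KTB) -> None:
        self.activatable = activatable
        self._ktb = dict(ktb)

    def enabling_data_set(self) -> Optional[Dict[int, int]]:
        if self.activatable <= 0:
            return None
        self.activatable -= 1  # quota consumed when FDi is handed out
        return dict(self._ktb)


def activate(lk: LicenseCard, card: UserCard) -> bool:
    """Read-write station AKG: forward the request to LK and load FDi into AKi."""
    fd = lk.enabling_data_set()
    if fd is None:
        return False
    return card.command(UserCard.LOAD_TABLE, fd) == "activated"


if __name__ == "__main__":
    lk = LicenseCard(activatable=1)
    card = UserCard()
    print(activate(lk, card), card.command(0xB2, 50), card.command(0xB0))
```

Before `activate` runs, every code except `LOAD_TABLE` ends in the same error, because the card has no way to map a bic to an entry address; the operating system routines are present in `_bsc` the whole time, which mirrors the text's point that the code is loaded at manufacture but unreachable without the table.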

Finally, the data exchange between a user chip card AKi and the license chip card LK, by means of the read-write station AKG, may advantageously be performed in a cryptologically encoded form.

What is claimed is:
1. A chip card system comprising: a user chip card, the user chip card including a processor and a non-volatile memory, the non-volatile memory storing an operating system of the processor; a license chip card, the license chip card including a processor and a non-volatile memory, the non-volatile memory storing a number indicative of the number of user chip cards that can be activated; and a read-write station, wherein: in order to activate the user chip card, the processor of the user chip card generates a random number which is transmitted by means of the read-write station to the license chip card, if the number stored in the non-volatile memory of the license chip card indicates that the number of activatable user chip cards is not yet exhausted, the processor of the user chip card generates an enabling identification as a function of the random number, and the enabling identification is transmitted via the read-write station to the user chip card, the enabling identification is checked by the processor of the user chip card for correspondence with the random number and if there is correspondence, a set of permissible user command instructions is activated, and the number stored in the non-volatile memory of the license chip card indicative of the number of activatable user chip cards is decremented.

2. The system of claim 1, wherein: in order to activate the user chip card, the processor of the user chip card transmits to the license chip card, via the read-write station, a request for transfer of an enabling data set, if the number stored in the non-volatile memory of the license chip card indicates that the number of activatable user chip cards is not yet exhausted, the processor of the license chip card generates an enabling data set, and the enabling data set is transmitted via the read-write station to the user chip card, and the processor of the user chip card loads the enabling data set into the non-volatile memory containing the operating system of the user chip card, thereby activating the set of permissible user command instructions of the operating system of the user chip card.

3. The system of claim 2, wherein the enabling data set includes a command table specific to the operating system stored in the non-volatile program memory of the user chip card, the command table establishing an assignment of user command instructions to respective parts of the operating system of the user chip card which execute said user command instructions.

4. The system of claim 1, wherein hardware of the license chip card and hardware of the user chip card are identical.

5. The system of claim 1, wherein data exchanged between the user chip card and the license chip card via the read-write station is in a cryptologically encoded form.

6. A chip card system comprising: a user chip card, the user chip card including a processor and a non-volatile memory, the non-volatile memory storing an operating system of the processor; a license chip card, the license chip card including a processor and a non-volatile memory, the non-volatile memory storing a number indicative of the number of user chip cards that can be activated; and a read-write station, wherein: the user chip card is activated by transmission of a command table specific to an operating system of the user chip card into the non-volatile memory of the user chip card if the number stored in the non-volatile memory of the license chip card indicates that the number of activatable user chip cards is not yet exhausted, the command table establishing an assignment of user command instructions to respective parts of the operating system of the user chip card which execute said user command instructions, and the number stored in the non-volatile memory of the license chip card indicative of the number of activatable user chip cards is decremented.

7. The system of claim 6, wherein hardware of the license chip card and hardware of the user chip card are identical.

8. The system of claim 6, wherein data exchanged between the user chip card and the license chip card via the read-write station is in a cryptologically encoded form.